Use Fireactions runners for self-hosted CI jobs

[prop-opentensor]

Summary

• replace existing self-hosted Hetzner CCX runner labels with Fireactions labels
• keep GitHub-hosted jobs and plain Benchmarking jobs unchanged
• route devnet/testnet checks to fireactions-tryruntime and finney/mainnet checks to fireactions-tryruntime-finney

Capacity mapping

Category	Runner	Current online capacity	Expected peak from this PR
Short/light jobs	fireactions-light	16	up to 6 from check-rust, plus small metadata jobs
Long build/test/docker jobs	fireactions-heavy	16	up to 5 from TypeScript E2E; most others 1-2
Devnet/testnet try-runtime/spec/smoke	fireactions-tryruntime	2	try-runtime.yml can use both
Finney/mainnet try-runtime/spec/smoke	fireactions-tryruntime-finney	1	intentionally single-lane

Notes

• fireactions-mini is not used.
• scheduled-smoke-tests.yml uses matrix.runner so smoke_mainnet and smoke_testnet can target different try-runtime lanes.
• Benchmarking remains only in benchmark workflows.

Validation

• git grep -n "type-ccx" -- .github/workflows returned no matches
• git grep -n "fireactions-mini" -- .github/workflows returned no matches
• git grep -n "runs-on: Benchmarking" -- .github/workflows only returns apply-benchmark-patch.yml and run-benchmarks.yml
• git diff --check -- .github/workflows passed
• actionlint v1.7.12 .github/workflows/scheduled-smoke-tests.yml passed

[github-actions]

🚨🚨🚨 HOTFIX DETECTED 🚨🚨🚨

It looks like you are trying to merge a hotfix PR into main. If this isn't what you wanted to do, and you just wanted to make a regular PR, please close this PR, base your changes off the devnet-ready branch and open a new PR into devnet ready.

If you are trying to merge a hotfix PR, please complete the following essential steps:

1. go ahead and get this PR into main merged, so we can get the change in as quickly as possible!
2. merge main into testnet, bumping spec_version
3. deploy testnet
4. merge testnet into devnet, bumping spec_version
5. deploy devnet
6. merge devnet into devnet-ready

If you do not complete these steps, your hotfix may be inadvertently removed in the future when branches are promoted to main, so it is essential that you do so.

[github-actions]

🛡️ AI Review — Skeptic (security review)

VERDICT: VULNERABLE

BASELINE scrutiny: author has admin permission; no Gittensor association found; branch is fireactions-ci-runners -> main with a hotfix label.

The diff only changes workflow runner labels and does not modify .github/ai-review/* or .github/copilot-instructions.md. I did not find a malicious runner-expression path in the workflow changes themselves.

Findings

Sev	File	Finding
HIGH	PR body / branch metadata	Direct-to-main PR lacks explicit hotfix justification	(off-diff)

Other findings

• [HIGH] Direct-to-main PR lacks explicit hotfix justification (PR body / branch metadata) — This PR targets main from fireactions-ci-runners rather than flowing through devnet-ready / deployment branches. It is labeled hotfix, but the PR body does not explicitly explain why this runner migration must bypass the normal branch strategy. The review policy requires direct-to-main PRs to be justified as hotfixes; add that rationale to the PR body or retarget through the normal branch flow.

Conclusion

The workflow-label migration looks mechanically scoped, but the PR targets main directly without an explicit hotfix justification in the PR body. Per branch-strategy policy, that blocks a SAFE verdict until the direct-to-main rationale is documented or the PR is retargeted.

---

# 🔍 AI Review — Auditor (domain review) has not yet run on this PR.

[github-actions]

🔄 AI review updated — Skeptic: VULNERABLE